Last Modified: April 2022
APPENDIX D
SECURITY PLAN FORM
(Attachment # 3 to License Agreement)
August 2018
NCSES ENCLAVE SECURITY PLAN
Security Plan Type:
Researcher: New License / Amendment
Contractor: New License / Amendment
Name of Institution/Organization:
Restricted-Use Data Holder Information
Principal Researcher (PR):
Mailing Address:
(Full Address: street, city, zip code. If applicable, department, building name, and office/room number)
Phone Number:
Fax Number:
Email Address:
System Security Officer Information
As stated in the license, the Senior Official (SO), who signed the license agreement, has full and final
responsibility for the security of the restricted-use data. As part of these responsibilities, the SO
shall name a System Security Officer (SSO) in the security plan. The SSO is the person responsible
for maintaining the day-to-day security of the system on which the licensed data reside. The SSO’s
assigned duties shall include the implementation, maintenance, and periodic update of the security
plan to protect the data in strict compliance with statutory and regulatory requirements. The SSO
is not the same person as the PR.
System Security Officer (SSO):
Mailing Address:
(Full Address: street, city, zip code. If applicable, department, building name, and office/room number)
Phone Number:
Fax Number:
Email Address:
RESEARCHER & SYSTEM INFORMATION FORM
Complete form for EACH user requesting enclave access. Duplicate page if necessary.
Researcher Name:
Institution/Organization:
Job Title:
Phone Number:
Email Address:
Work Location: Where will you log in from? Select all that apply.
Home:
Address:
Work:
Address:
Workstation Specifications:
Make & Model:
Form Factor: Desktop / Laptop
Serial Number:
Operating System (Include version number):
Workstation Login Access: Who can log into your workstation?
Yourself:
Other:
If other, specify:
Workstation Monitor Position:
Describe how the workstation is positioned to prevent unauthorized viewing:
Workstation Antivirus:
Describe brand and version of antivirus software installed on workstation and provide details on how
often the software is updated.
The Researcher must initial below to indicate that the following Restricted-Use Data (RUD) security
measures will be complied with:
• Only secure networks may be used to access RUD. (No Public Wi-Fi). Initials:
• RUD must not be accessed in public places (e.g., Starbucks, libraries). Initials:
• Computer may not be shared with unauthorized users. Initials:
• When using RUD, only authorized users may be present. Initials:
• Password protect personal devices containing authentication tokens. Initials:
• Personal devices containing tokens may not be shared. Initials:
• Computer(s) used to access RUD may not relocate outside the United States. Initials:
• Unannounced audits by NCSES contractor to ensure compliance. Initials:
Researcher Signature
Date
The system security officer must initial below to indicate that the following security measures are
in place across all Restricted-Use Data (RUD) research computers and systems:
• Internal audits are conducted to ensure unused accounts are closed. Initials:
• Antivirus and security patches are up to date on RUD computers. Initials:
• Passwords: unique, 8 characters minimum with one non-alphanumeric character. Initials:
• Change password at least every 3 months. Biometric passkeys are allowed. Initials:
• Enable automatic “password screensaver” within 5 minutes of inactivity. Initials:
• Laptops are restricted to only one authorized user. Initials:
• Systems are in place to limit unapproved websites. Initials:
The RESEARCHER & SYSTEM INFORMATION FORM must be updated if the researcher’s
workstation and/or location changes. Access to the enclave should be restricted by system and
location.
Review and Approval
I have reviewed the requirements of the license security procedures and the contents of this
security plan, which describes the protection measures for the requested restricted-use data files. I
have also instructed the collaborating researchers on the requirements of the security plan. I
hereby certify that this system meets all requirements of the license security procedures and that
the in-place security safeguards adequately protect the restricted-use data.
Principal Researcher Signature
Date
Principal Researcher (type/print) Name
System Security Officer Signature
Date
System Security Officer (type/print) Name
Signing Official Signature
Signing Official (type/print) Name
Date
File Type: application/pdf
File Title: NSF/NCSES Restricted-Use Data Procedures Guide
Author: NSF/NCSES
File Modified: 2023-03-14
File Created: 2023-03-14